Merge pull request #13941 from DataDog/update-appsec-docs-for-ruby-1-1
Update docs for AppSec on Ruby 1.1.0
kayayarai authored May 26, 2022
2 parents 6aab81a + e68c7df commit 9ef7768
Showing 2 changed files with 119 additions and 20 deletions.
Expand Up @@ -16,7 +16,7 @@ further_reading:
text: "Troubleshooting Application Security Monitoring"
---

You can monitor application security for Ruby apps running in Docker, Kubernetes, AWS ECS, and AWS Fargate.
You can monitor application security for Ruby apps running in Docker, Kubernetes, AWS ECS, and AWS Fargate.

{{% appsec-getstarted %}}

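Review bot: the removed and added "You can monitor application security for Ruby apps running in Docker, Kubernetes, AWS ECS, and AWS Fargate." lines are identical as rendered, so this hunk is a whitespace-only change (most likely trailing whitespace). Harmless, but either mention it in the commit message or drop it so the diff stays focused on the 1.1.0 updates.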
Expand All @@ -25,61 +25,97 @@ You can monitor application security for Ruby apps running in Docker, Kubernetes
1. **Update your Gemfile to include the Datadog library**:

```ruby
gem 'ddtrace', '~> 1.0'
gem 'ddtrace', '~> 1.1'
```

For information about which language and framework versions are supported by the library, see [Compatibility][1].

For more information about upgrading from a `dd-trace` 0.x version, see [the Ruby tracer upgrade guide][2].

2. **Enable ASM**, either in your code:
2. **Enable ASM** by enabling the APM tracer. The following options describe a quick setup that covers the most common cases. Read [the Ruby tracer documentation][3] for more details.

You can enable ASM either in your code:

{{< tabs >}}

{{% tab "Rails" %}}
Either enable the tracer through auto-instrumentation by updating your Gemfile:
Enable the APM tracer by adding an initializer in your application code:

```ruby
# config/initializers/datadog.rb

require 'datadog/appsec'

Datadog.configure do |c|
# enable the APM tracer
c.tracing.instrument :rails

# enable ASM
c.appsec.enabled = true
c.appsec.instrument :rails
end
```

Or enable the APM tracer through auto-instrumentation by updating your Gemfile to auto-instrument:

```ruby
gem 'ddtrace', '~> 1.0', require: 'ddtrace/auto_instrument'
gem 'ddtrace', '~> 1.1', require: 'ddtrace/auto_instrument'
```

Or enable the tracer by adding an initializer in your application code:
And also enable `appsec`:

```ruby
# config/initializers/datadog.rb

require 'datadog/appsec'

Datadog.configure do |c|
# enable the APM tracer
# not needed if `gem 'ddtrace', require: 'ddtrace/auto_instrument' is used
c.tracing.instrument :rails
# the APM tracer is enabled by auto-instrumentation

# enable ASM
c.appsec.enabled = true
c.appsec.instrument :rails
end
```

{{% /tab %}}

{{% tab "Sinatra" %}}
Enable the tracer by adding the following to your application's startup:
Enable the APM tracer by adding the following to your application's startup:

```ruby
require 'sinatra'
require 'ddtrace'
require 'datadog/appsec'

Datadog.configure do |c|
# enable the APM tracer
c.tracing.instrument :sinatra

# enable appsec for Sinatra
# enable ASM for Sinatra
c.appsec.enabled = true
c.appsec.instrument :sinatra
end
```

Or enable the APM tracer through auto-instrumentation:

```ruby
require 'sinatra'
require 'ddtrace/auto_instrument'

Datadog.configure do |c|
# the APM tracer is enabled by auto-instrumentation

# enable ASM for Sinatra
c.appsec.enabled = true
c.appsec.instrument :sinatra
end
```
{{% /tab %}}

{{% tab "Rack" %}}
Enable the tracer by adding the following to your `config.ru` file:
Enable the APM tracer by adding the following to your `config.ru` file:

```ruby
require 'ddtrace'
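Review bot: the Sinatra auto-instrumentation block (`require 'sinatra'` / `require 'ddtrace/auto_instrument'`) omits `require 'datadog/appsec'`, while the equivalent Rails auto-instrumentation initializer keeps it. Either the `c.appsec` settings are available after `ddtrace/auto_instrument` alone, in which case the Rails block's require is redundant, or they are not, in which case the Sinatra block fails to configure ASM; please make the two blocks agree. Two smaller points in the same hunk: "And also enable `appsec`:" should read "And also enable ASM:" to match the `# enable ASM` comments this commit introduces, and the unchanged line "upgrading from a `dd-trace` 0.x version" names the gem as `dd-trace` where the Gemfile lines just above use `ddtrace`.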
Expand All @@ -89,7 +125,7 @@ You can monitor application security for Ruby apps running in Docker, Kubernetes
# enable the APM tracer
c.tracing.instrument :rack

# enable appsec for Rack
# enable ASM for Rack
c.appsec.enabled = true
c.appsec.instrument :rack
end
Expand Down Expand Up @@ -141,7 +177,7 @@ spec:
{{% /tab %}}
{{% tab "AWS ECS" %}}
Update your ECS task definition JSON file, by adding this in the environment section:
Update your ECS task definition JSON file, by adding this in the environment section:
```json
"environment": [
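Review bot: as in the first hunk, "Update your ECS task definition JSON file, by adding this in the environment section:" is replaced by an identical line, so this is a whitespace-only edit; fine if intended, otherwise drop it. While the line is being touched, the comma before "by adding" is unnecessary and could go.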
Expand Down Expand Up @@ -175,3 +211,4 @@ env DD_APPSEC_ENABLED=true rails server

[1]: /security_platform/application_security/setup_and_configure/?code-lang=ruby#compatibility
[2]: https://github.com/DataDog/dd-trace-rb/blob/master/docs/UpgradeGuide.md#from-0x-to-10
[3]: /tracing/setup_overview/setup/ruby/
Expand Up @@ -292,11 +292,49 @@ if span, ok := tracer.SpanFromContext(request.Context()); ok {
{{< programming-lang lang="ruby" >}}
Use the the Ruby tracer's API for adding custom tags to a trace, and add user information so that you can monitor authenticated requests in the application.
Use one of the following APIs to add user information to a trace so that you can monitor authenticated requests in the application:
User monitoring tags are applied on the trace and start with the prefix `usr` followed by the name of the field. For example, `usr.name` is a user monitoring tag that tracks the user’s name.
{{< tabs >}}
The example below shows how to obtain the root span and add relevant user monitoring tags:
{{% tab "set_user" %}}
Starting with `ddtrace` 1.1.0, the `Datadog::Kit::Identity.set_user` method is available. This is the recommended API for adding user information to traces:
```ruby
# Get the active trace
trace = Datadog::Tracing.active_trace

# Set mandatory user id tag
Datadog::Kit::Identity.set_user(trace, id: 'd131dd02c56eeec4')

# Or set any of these optional user monitoring tags
Datadog::Kit::Identity.set_user(
trace,

# mandatory id
id: 'd131dd02c56eeec4',

# optional tags with known semantics
name: 'Jean Example',
email:, '[email protected]',
session_id:, '987654321',
role: 'admin',
scope: 'read:message, write:files',

# optional free-form tags
another_tag: 'another_value',
)
```
{{% /tab %}}
{{% tab "set_tag" %}}
If `Datadog::Kit::Identity.set_user` does not meet your needs, you can use `set_tag` instead.
User monitoring tags are applied on the trace and start with the prefix `usr.` followed by the name of the field. For example, `usr.name` is a user monitoring tag that tracks the user’s name.
The example below shows how to obtain the active trace and add relevant user monitoring tags:
**Notes**:
- Tag values must be strings.
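Review bot: the second `Datadog::Kit::Identity.set_user` call in the set_user tab does not parse: `email:, '[email protected]',` and `session_id:, '987654321',` have a stray comma between the keyword and its value, so anyone who copies the snippet gets a SyntaxError. They should be `email: '[email protected]',` and `session_id: '987654321',`, matching the surrounding `name:` and `role:` arguments.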
Expand All @@ -309,14 +347,21 @@ trace = Datadog::Tracing.active_trace
# Set mandatory user id tag
trace.set_tag('usr.id', 'd131dd02c56eeec4')

# Set optional user monitoring tags
# Set optional user monitoring tags with known sematics
trace.set_tag('usr.name', 'Jean Example')
trace.set_tag('usr.email', '[email protected]')
trace.set_tag('usr.session_id', '987654321')
trace.set_tag('usr.role', 'admin')
trace.set_tag('usr.scope', 'read:message, write:files')

# Set free-form tags:
trace.set_tag('usr.another_tag', 'another_value')
```
{{% /tab %}}
{{< /tabs >}}
{{< /programming-lang >}}
{{< programming-lang lang="php" >}}
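Review bot: typo in the added comment `# Set optional user monitoring tags with known sematics`: "sematics" should be "semantics".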
Expand Down Expand Up @@ -386,11 +431,28 @@ The data that you collect with Datadog can contain sensitive information that yo
By default, ASM collects information from suspicious requests to help you understand why the request was flagged as suspicious. Before sending the data, ASM scans it for patterns and keywords that indicate that the data is sensitive. If the data is deemed sensitive, it is replaced with a `<redacted>` flag, so you observe that although the request was suspicious, the request data could not be collected because of data security concerns.
To protect users' data, sensitive data scanning is activated by default in ASM. You can customize the configuration by using the following environment variables. The scanning is based on the [RE2 syntax][2], so to customize scanning, set the value of these environment variables to a valid RE2 patten:
To protect users' data, sensitive data scanning is activated by default in ASM. You can customize the configuration by using the following environment variables. The scanning is based on the [RE2 syntax][2], so to customize scanning, set the value of these environment variables to a valid RE2 pattern:
* `DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP` - Pattern for scanning for keys whose values commonly contain sensitive data. If found, the key, all corresponding values, and any child nodes are redacted.
* `DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP` - Pattern for scanning for keys whose values commonly contain sensitive data. If found, the values and any child nodes associated with the key are redacted.
* `DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP` - Pattern for scanning for values that could indicate sensitive data. If found, the value and all its child nodes are redacted.
<div class="alert alert-info"><strong>For Ruby only, starting in <code>ddtrace</code> version 1.1.0</strong>
<p>You can also configure scanning patterns in code:</p>
```ruby
Datadog.configure do |c|
# ...

# Set custom RE2 regexes
c.appsec.obfuscator_key_regex = '...'
c.appsec.obfuscator_value_regex = '...'
end
```
</div>
The following are examples of data that are flagged as sensitive by default:
* `pwd`, `password`, `ipassword`, `pass_phrase`
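Review bot: the fenced ```ruby block sits inside a raw `<div class="alert alert-info">`; Markdown renderers often pass the contents of a block-level HTML element through untouched, so the snippet may render as literal backticks instead of a code block. Either move the code out of the div (keeping the note as a plain paragraph) or check the rendered page before merging. Separately, the rewritten `DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP` bullet changes what is documented as redacted: the old text said the key, its values and child nodes are redacted, the new text says only the values and child nodes. This section is shared across all languages, so that is a behaviour statement rather than a Ruby 1.1.0 detail and should be confirmed against the obfuscation implementation, and the commit message should mention it.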